chore: add draft v1 .well-known endpoints

sanderPostma · sanderPostma · commit 7af1d0152aa9 · 2025-10-16T16:58:21.000+02:00
diff --git a/packages/issuer-rest/lib/OID4VCIServer.ts b/packages/issuer-rest/lib/OID4VCIServer.ts
@@ -175,7 +175,17 @@ export class OID4VCIServer {
       opts.asClientOpts || this._issuer.asClientOpts ? ({ ...opts.asClientOpts, ...this._issuer.asClientOpts } as ClientMetadata) : undefined
 
     pushedAuthorizationEndpoint(this.router, this.issuer, this.authRequestsData)
-    getMetadataEndpoints(this.router, this.issuer)
+
+  // Create root router for alternative .well-known endpoints if needed
+  const basePath = getBasePath(this.baseUrl)
+  let rootRouter: express.Router | undefined
+  if (basePath && basePath !== '/') {
+    rootRouter = express.Router()
+    this._app.use('/', rootRouter)
+  }
+
+  getMetadataEndpoints(this.router, this.issuer, rootRouter, this.baseUrl)
+
     let issuerPayloadPath: string | undefined
     if (this.isGetIssuePayloadEndpointEnabled(opts?.endpointOpts?.getIssuePayloadOpts)) {
       issuerPayloadPath = getCredentialOfferReferenceEndpoint(this.router, this.issuer, {
@@ -227,7 +237,7 @@ export class OID4VCIServer {
         baseUrl: this.baseUrl,
       })
     }
-    this._app.use(getBasePath(this.baseUrl), this._router)
+    this._app.use(basePath, this._router)
   }
 
   public get app(): Express {
diff --git a/packages/issuer-rest/lib/oid4vci-api-functions.ts b/packages/issuer-rest/lib/oid4vci-api-functions.ts
@@ -716,7 +716,7 @@ export function pushedAuthorizationEndpoint(
   })
 }
 
-export function getMetadataEndpoints(router: Router, issuer: VcIssuer) {
+export function getMetadataEndpoints(router: Router, issuer: VcIssuer, rootRouter?: Router, baseUrl?: URL | string) {
   const credentialIssuerHandler = (request: Request, response: Response) => {
     return response.json(issuer.issuerMetadata)
   }
@@ -725,36 +725,20 @@ export function getMetadataEndpoints(router: Router, issuer: VcIssuer) {
     return response.json(issuer.authorizationServerMetadata)
   }
 
-  // Original endpoints
+  // Original endpoints on the context router
   router.get(WellKnownEndpoints.OPENID4VCI_ISSUER, credentialIssuerHandler)
   router.get(WellKnownEndpoints.OAUTH_AS, authorizationServerHandler)
 
-  // Alternative endpoints with .well-known at root
-  const alternativeCredentialIssuerEndpoint = getAlternativeWellKnownEndpoint(WellKnownEndpoints.OPENID4VCI_ISSUER)
-  const alternativeAuthServerEndpoint = getAlternativeWellKnownEndpoint(WellKnownEndpoints.OAUTH_AS)
-
-  if (alternativeCredentialIssuerEndpoint) {
-    router.get(alternativeCredentialIssuerEndpoint, credentialIssuerHandler)
-  }
-
-  if (alternativeAuthServerEndpoint) {
-    router.get(alternativeAuthServerEndpoint, authorizationServerHandler)
-  }
-}
-
-function getAlternativeWellKnownEndpoint(originalEndpoint: string): string | null {
-  const wellKnownIndex = originalEndpoint.indexOf('/.well-known/')
-  if (wellKnownIndex <= 0) {
-    return null
+  // Alternative root-level endpoints if rootRouter provided
+  if (rootRouter && baseUrl) {
+    const basePath = getBasePath(baseUrl)
+    if (basePath && basePath !== '/') {
+      rootRouter.get(`/.well-known/openid-credential-issuer${basePath}`, credentialIssuerHandler)
+      rootRouter.get(`/.well-known/oauth-authorization-server${basePath}`, authorizationServerHandler)
+    }
   }
-
-  const contextPath = originalEndpoint.substring(0, wellKnownIndex)
-  const wellKnownResource = originalEndpoint.substring(wellKnownIndex + '/.well-known/'.length)
-
-  return `/.well-known/${wellKnownResource}${contextPath}`
 }
 
-
 export function determinePath(
   baseUrl: URL | string | undefined,
   endpoint: string,
